{
	"id": "1b60d9ec-ac48-4b68-a10c-592ea4df8038",
	"created_at": "2026-04-06T00:11:38.253549Z",
	"updated_at": "2026-04-10T03:20:57.26081Z",
	"deleted_at": null,
	"sha1_hash": "667af9faef73779e0fde44e1eff9202075f2f8b9",
	"title": "Third-Party App Stores Delivered via the iOS App Store",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 74109,
	"plain_text": "Third-Party App Stores Delivered via the iOS App Store\r\nBy Trend Micro\r\nPublished: 2017-03-23 · Archived: 2026-04-05 21:51:17 UTC\r\nThe iOS ecosystem is usually described as a closed ecosystem under the strict control of Apple. However, there are still ways to get around this tight control. Remember the Haima app? That method relied on enterprise certificates from Apple, which is costly, since the certificates involved have to be changed very frequently.\r\nWe are currently seeing third-party app stores refine their methods. Recently, we saw an app that leads to a third-party app store being offered on the official iOS App Store. To evade detection, this app was disguised as a legitimate app. In at least one case, an app used for jailbreaking was available via this third-party app store.\r\nIt is unclear exactly who the target of this malicious app is. The account book app is designed with Japanese text, but the app store itself is written in Mandarin Chinese. In addition, it was found in the App Store of multiple countries.\r\nThis app is named “こつこつ家計簿-無料のカレンダー家計簿”, which translates to “Household Accounts App”. It appears to be a financial helper app for families, but it is actually a front for a third-party app store. Apple has since removed it from the App Store.\r\nFigure 1. Household account app in iOS App Store\r\nFigures 2-4. Various stages of app launch\r\nThe code (Figure 5, below) reveals that, when the app first starts up, it checks for the PPAASSWOpenKey key in the system’s user preference plist. The app uses this key to determine whether it has run before; on the first run, the key does not exist. 
The app therefore takes the else branch, which requests permission to use data so that it can reach the third-party store. Because of iOS’s permission mechanism, this request must be explicitly approved by the user (Figure 2). The first request therefore fails, so the app falls back to the account book view and pretends to be a legitimate app (Figure 3). The text in Figure 3 claims that data access is necessary for exporting information from the app.\r\nFigure 5. Code for switching to account book view\r\nAs long as the app is neither closed nor sent to the background, it stays in the account book view. However, once it enters the background, it again attempts to connect to the third-party store. This time the request should succeed, and instead of the account book view the user sees the third-party app store (Figure 4).\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/user-beware-rooting-malware-found-in-3rd-party-app-stores/\r\nPage 1 of 4\n\nFigure 6. Code for switching to third-party app store view\r\nWhy would the creators of the third-party app store need this particular behavior? Putting their app store inside Apple's official one makes it easier for would-be users to reach it, but subterfuge is needed to pass Apple’s review.\r\nInstalling the apps\r\nAfter successfully making it into the App Store, the third-party app store then needs to be able to install apps. To do this, the app's creator employs the technique generally used to install apps signed with enterprise certificates: over-the-air installation driven by a manifest plist file, which tells iOS where to fetch the app package and which bundle identifier and version it carries. Figure 7 shows an example plist file (note that this file is not the same as those used by this third-party store).\r\nFigure 7. 
Sample plist file\r\nThe store then builds a link of the following form:\r\nitms-services://?action=download-manifest&url=https://{web server address}/install_app.plist\r\nOpening this URL makes iOS fetch the manifest and install the app it points to. For apps signed with an Apple certificate (App Store builds, as opposed to enterprise-signed builds), there is an additional catch: the app must have been purchased with the user's Apple ID. This is why the store asks for the user's Apple ID, so that it can complete the purchase process:\r\nFigures 8-11. Stages of app installation\r\nFigure 12. Code for creation of plist file and installation link\r\nFigure 13. Code for creation of app installation process\r\nMalware Distribution\r\nIn addition to apps already present in the App Store, the third-party store can also sell apps that are not normally distributed via the App Store. Unfortunately, this can include malware and other unwanted applications.\r\nAn example is the app called “PG Client”, a tool for jailbreaking iOS devices. It was once available on the App Store but has since been removed. It is still available for download via the third-party app store:\r\nFigure 14. PG Client\r\nOther malicious apps will often ask users to download the PPHelper app on their PC, which is also an iOS jailbreaking tool. It is installed on a PC or Mac, and the user is asked to connect their iOS device to that computer. PPHelper obtains some files associated with the user's authorization from the device and communicates with it as if it were iTunes, effectively bypassing some of the DRM protection of iOS.\r\nFigures 15-17. Stages of requesting the user to connect the PC helper app\r\nFigures 18-19. Code requesting the user's device authorization\r\nPromoting Other Apps For Money\r\nThis particular app was not the only problematic app we saw in the App Store. 
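Before turning to the second app, the manifest-based installation described under “Installing the apps”, as an added example that is not code from the Trend Micro post or from the apps it analyses: it builds the manifest plist and the itms-services link on the store side, then does what a corporate proxy or MDM filter would do on the defending side, parsing such a link and manifest and refusing packages that are not served over HTTPS from an approved host under the organisation's own bundle-identifier prefix. The hostnames, bundle identifiers, helper names and the allowlist are all assumptions made for the example.

```python
# Added example: over-the-air (itms-services) manifest generation and the
# matching defender-side check. Not code from the Trend Micro post; hostnames,
# bundle identifiers and the allowlist below are constructed for illustration.
import plistlib
from urllib.parse import parse_qs, urlparse


def build_manifest(ipa_url, bundle_id, version, title):
    '''Return (as bytes) the manifest plist that iOS expects behind an
    itms-services download-manifest link: one item whose software-package
    asset points at the .ipa and whose metadata names the bundle.'''
    manifest = {
        'items': [{
            'assets': [{'kind': 'software-package', 'url': ipa_url}],
            'metadata': {
                'bundle-identifier': bundle_id,
                'bundle-version': version,
                'kind': 'software',
                'title': title,
            },
        }],
    }
    return plistlib.dumps(manifest)


def build_install_link(manifest_url):
    '''Compose the link that, once opened on a device, makes iOS fetch the
    manifest and install the package it references.'''
    return 'itms-services://?action=download-manifest&url=' + manifest_url


def manifest_url_from_link(link):
    '''Defender side: pull the manifest URL out of an itms-services link.
    Returns None for anything that is not a download-manifest request.'''
    parsed = urlparse(link)
    if parsed.scheme != 'itms-services':
        return None
    query = parse_qs(parsed.query)
    if query.get('action') != ['download-manifest']:
        return None
    urls = query.get('url')
    return urls[0] if urls else None


def inspect_manifest(manifest_bytes):
    '''List the (bundle identifier, package URL) pairs a manifest would
    install; a single manifest may carry several items.'''
    data = plistlib.loads(manifest_bytes)
    found = []
    for item in data.get('items', []):
        bundle_id = item.get('metadata', {}).get('bundle-identifier')
        for asset in item.get('assets', []):
            if asset.get('kind') == 'software-package':
                found.append((bundle_id, asset.get('url')))
    return found


def install_allowed(manifest_bytes, allowed_hosts, bundle_prefix):
    '''Policy check an MDM or proxy could apply before letting a device open
    the link: every package must be served over HTTPS from an approved host
    and carry a bundle identifier under the organisation's prefix. A manifest
    with no installable package is refused as well.'''
    packages = inspect_manifest(manifest_bytes)
    if not packages:
        return False
    for bundle_id, ipa_url in packages:
        url = urlparse(ipa_url or '')
        if url.scheme != 'https' or url.hostname not in allowed_hosts:
            return False
        if not (bundle_id or '').startswith(bundle_prefix):
            return False
    return True


if __name__ == '__main__':
    # Store side (constructed): a third-party store serving a jailbreak tool
    # from its own server, the way the post describes for PG Client.
    manifest = build_manifest('https://store.example.net/ipa/pgclient.ipa',
                              'net.example.store.pgclient', '1.0', 'PG Client')
    link = build_install_link('https://store.example.net/install_app.plist')
    print(link)
    # Defender side: what a filter would extract and decide.
    print(manifest_url_from_link(link))
    print(inspect_manifest(manifest))
    print(install_allowed(manifest, {'apps.corp.example.com'}, 'com.corp.'))
```

The policy check is deliberately strict (host, scheme and bundle prefix must all match) because the itms-services link itself is indistinguishable from a legitimate enterprise deployment; the only signals a filter has are the manifest contents and where the package is hosted.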
We found another one called “爱应用助手”, which translates to “LoveApp” (literally “Love App Assistant”). This is designed to promote apps that are already in the App Store. In effect, it bypasses both Apple’s ranking of apps in search results and the paid Search Ads option. The app makes its money from developers who want to promote their wares without going through Apple's promotion service.\r\niOS includes APIs that allow a developer to easily display an app's App Store page from within another app (StoreKit's SKStoreProductViewController, for example). LoveApp uses these to direct users from its own listings to the App Store listing of the promoted apps:\r\nFigure 20. Installation of promoted app\r\nLoveApp is in the background, with the App Store window of the promoted app in the foreground. The code that does this can be seen here:\r\nFigure 21. Code for opening the App Store window\r\nFrom a privacy perspective, LoveApp has multiple issues. Firstly, during installation it uploads some user attributes to its servers, including the advertising identifier (IDFA). This is primarily used to count the number of downloads.\r\nFigure 22. User attributes uploaded\r\nIn addition, it uses a third-party SDK called TalkingData to gather information about the user's behavior:\r\nFigure 23. TalkingData call\r\nThis SDK, however, makes many aggressive API calls. Its capabilities include acquiring various parts of the user's system information (including the Wi-Fi network name, running processes, and IP address). If the user's phone has been jailbroken, the SDK can also gather the user's Apple ID and installed apps. This is enough for us to consider it a potentially unwanted application.\r\nFigure 24. 
Other aggressive API calls\r\nRisks and Mitigation\r\nWe recommend that users be careful about downloading apps from third-party app stores. Apple cannot vouch for the safety of apps delivered via third-party stores, and that is the case here: users are still exposing themselves to various security threats (including malware and other unwanted apps). Organizations should put policies in place to reduce the risk from these malicious apps, such as blocking unapproved app stores and safeguarding personal devices.\r\nWe notified Apple about the presence of both of these apps in the iOS App Store prior to publication of this blog post. The following files are related to this incident:\r\nSHA256 hash  Detection name\r\n212015dbae6e36c703c513f762413ffefe5ad58720c22abb696bca94f3b6c14b  IOS_FakeAppStore.A\r\nadcfa3d540f78297dde3dcbf0191271d8592911d71703ce853b6de622421c1fb  IOS_JailBreakTool.A\r\nc75777079d72c43516adc7bdee4db447f22bbd25af26c08bcee42f885a820866  IOS_FakeAppStore.A\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/user-beware-rooting-malware-found-in-3rd-party-app-stores/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/user-beware-rooting-malware-found-in-3rd-party-app-stores/"
	],
	"report_names": [
		"user-beware-rooting-malware-found-in-3rd-party-app-stores"
	],
	"threat_actors": [],
	"ts_created_at": 1775434298,
	"ts_updated_at": 1775791257,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/667af9faef73779e0fde44e1eff9202075f2f8b9.pdf",
		"text": "https://archive.orkl.eu/667af9faef73779e0fde44e1eff9202075f2f8b9.txt",
		"img": "https://archive.orkl.eu/667af9faef73779e0fde44e1eff9202075f2f8b9.jpg"
	}
}